Hi,
Sorry to bother again with this, but does anyone have any insight on this layer
group security issue?
I would be happy with something, even just a confirmation if this is a feature
or a bug?
Thanks and have a nice day.
BR,
Joni
On 2.3.2021, 11.54, "Joni Hämäläinen" wrote:
Hi,
I am struggling, as I can't get a simple layer group to be visible in
GetCapabilities response for unauthenticated users.
I am fairly certain there is some issue/bug regarding data security and
layer groups.
Similar problems have been posted by other users, but I don't see any real
solutions in the answers:
https://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/CADQ3-ytgSi7mF-ap9fukMWKF_hbKcqAPVYN%2BOWHa_NBm%2BxVOJw%40mail.gmail.com/#msg36625778
https://osgeo-org.atlassian.net/browse/GEOS-9376
Use case is to bundle few cascaded layers to a single group, that would be
listed for a web app. Listing the layers naturally is done via GetCapabilities.
I have a workspace "example.com", which contains the cascaded store, the
layers I want to group and the layer group itself.
I can see the layer group in the GetCapabilities when I am logged in to
Geoserver. But making the same request from unauthenticated browser session
results in that layer group disappear from the GetCapabilities document. All
advertised "normal layers" in the same workspace list fine in GetCapabilities
for both authenticated and unauthenticated users.
Result is the same with either SINGLE/OPAQUE CONTAINER/NAMED TREE setting
for the layer group. (In the end I would like to set it as OPAQUE CONTAINER).
And note: I can make GetMap requests to the layer group, it works fine as
it should be! The inconsistency is that it does not appear in the
GetCapabilities.
I've come to conclusion that there is some inconsistency with the data
security settings and layer groups, as eventually I can get the layer group
appear in the GetCapablities for unauthenticated users. But this requires to
relax security to level which I'm not comfortable with.
The starting point with security settings, that make the layer group NOT
visible in the GetCapablities for unauthenticated users (but GetMap works):
*.*.r=ADMIN
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE
I tried adding "example..r=*", no luck.
I tried adding "example..r=*", no luck
Eventually I tried to remove the "ADMIN" requirement for read all, so the
settings became:
*.*.r=*.
*.*.w=GROUP_ADMIN,ADMIN
example.*.r=*
mode=HIDE
And tada, the layer group appeared to the GetCapabilities document for
unauthenticated users.
But naturally I would not like to expose everything readable by default.
And I am confused, because having the workspace read for everybody works with
normal layers, as in they appear in GetCapabilities. But a simple layer group
in the workspace is not included in the GetCapabilities.
I tried to go through the source code and even some test cases, but I
couldn't find anything relevant to this with my limited knowledge of the code
base.
Can anyone confirm, that there is a problem with this regarding layer
groups appearing in GetCapabilities? Or is this an intended feature?
I feel it pretty strange, that I can happily make a GetMap request to this
layer group, but it doesn't appear in the Capabilities.
Thank you very much for any feedback on this.
Best regards,
Joni
___
Geoserver-users mailing list
Please make sure you read the following two resources before posting to
this list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
___
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users